Credential leaks from organisations hit a record high of 21% in the first half of 2024, up 9 percentage points from last year. The theft of commercial secrets and restricted information rose to 24% in the first half of 2024, an increase of 10 percentage points compared to the same period in 2023. Meanwhile, personal data theft incidents returned to pre-peak levels: dropping to 2022 levels in Q1 2024 to 37%, and then falling to 25% in Q2 2024.

In the first half of 2024, the industrial sector (39%), government agencies (36%), and transportation companies (29%) continued to lead in the share of leaks of commercial secrets and other restricted information. Notable victims include Hyundai Motor Europe and Volkswagen, with the latter losing documents on electric vehicle technology. IT companies are also at risk, with breaches involving internal processes and products accounting for 29% of incidents. In 2024, hackers allegedly accessed the source code of some Apple and AMD software.

Stolen credentials are often used for further attacks on these companies’ clients, primarily government organizations. Credential compromise is typically a step before more severe actions, such as theft of funds or system disruption. Ransomware was used in nearly a third of successful breaches involving data leaks. Dark web listings for government data heavily feature Middle Eastern countries (16%), with Asia (33%) in the lead, followed by Latin America and the Caribbean (18%). These regions are targeted by APT groups, mainly focusing on the public sector. Positive Technologies’ research on APT groups in the Middle East and Southeast Asia provides more details.

“Credentials are frequently sold on dark web forums, a key revenue source for cybercriminals. In March, access to a prominent UAE Bank’s website was listed for $10,000. The rise in these leaks is evident on the dark market—forums now offer access to dozens or hundreds of companies per post. In April, a listing was posted offering access to the infrastructure of 16 companies from various industries across Latin America, the Middle East, Europe, and Asia, with prices ranging from $250 to $5,000. According to the listing’s authors, these firms’ revenues range from $4 million to $2.8 billion. For instance, a UAE-based consumer electronics company with $6.5 million in revenue had its data valued at $400. In June, another listing offered credentials for over 400 companies, including access via Jira, GitHub, and GitLab,” notes Anna Golushko, Senior Analyst at Positive Technologies.

The number of dark web ads offering free information is nearly double those selling it (64% vs. 33%). This is because not all attackers aim to sell data; many demand ransom not to disclose it, though not all victims pay. In the first half of 2024, government organizations were often targeted specifically to steal personal data. More than half of ads on the dark web are priced under $1,000. Every tenth ad belongs to the most expensive category at $10,000 or more.

The most expensive offers (over $50,000) involve major financial institutions, retail giants, and IT companies. In Q2 2024, EDR developer Cylance suffered a cyberattack, resulting in 34 million emails and an unspecified volume of customer and employee data being sold for $750,000. Positive Technologies analysts highlight that every second successful attack on organizations in H1 2024 resulted in the leakage of confidential data. The largest number of incidents occurred in government agencies (13%), IT companies (12%), and industrial companies (11%).

Preventing data leaks requires a comprehensive approach, including tools to protect user devices, corporate networks, and the data itself. As corporate data infrastructures evolve into complex systems that are constantly changing rapidly, a unified solution is essential to safeguard information, regardless of its complexity or location.

APT groups are complex threat actors that deploy targeted attacks, active for years on end. These groups are often motivated by espionage, monetary gain, or in some cases, hacktivism. According to Kaspersky Intelligence, some of the most prominent groups in the region are MuddyWater, FruityArmor, Sidewinder. Kaspersky also works with legal authorities, providing them with the intelligence needed to track cybercriminals behind these attacks.

These threat actors use a wide range of techniques to infiltrate their victims in the region. Social engineering is a common tactic used on social media or email, such as posting a fake job advert targeting software developers. APT groups also deploy sophisticated modular malware like DeadGlyph and StealerBot, as well as weaponising legitimate, remote applications, online services and cloud platforms – a technique used by MuddyWater APT group to penetrate the targeted site. Furthermore, these groups can target third-party providers and infiltrate their victims through supply chains.

“The current geopolitical climate is a hotbed for APT activity, therefore, investigating these attacks and gaining intelligence on their movement is vital for security teams and corporations in Africa. Our research allows businesses and government entities to determine the significance of the threat posed, understand the attackers’ next move and accordingly be able to take the appropriate security steps to protect themselves,” said Amin Hasbini, Head of Global Research and Analysis team for Middle East, Turkiye and Africa at Kaspersky.

With every APT investigation, Kaspersky’s Global Research and Analysis Team (GReAT) publish comprehensive reports, available on Kaspersky’s Threat Intelligence Portal (https://apo-opa.co/3XTZYyc). The reports offer crucial APT detection and forensic capabilities, enabling effective mitigation and remediation.

To avoid falling victim to a targeted attack by APT groups, Kaspersky researchers also recommend implementing the following measures:

1. Limit access to third parties and require continuous inspection of access within their supply chain.
2. For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Next.
3. In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as the Kaspersky Anti-Targeted Attack Platform.
4. The energy sector and other critical infrastructures should use security solutions for operation technology endpoints and networks, such as Kaspersky Industrial CyberSecurity, to ensure comprehensive protection for all systems.
5. Upskill your cybersecurity team to tackle the latest threats with Kaspersky online training, developed by GReAT experts.
6. Educate employees depending on their IT knowledge with cybersecurity courses such as those available within the Kaspersky Security Awareness Platform.